The internet’s no different to real life: most people are nice, but a few are out to get you. Telling the difference between websites and emails that are legitimate and those that are malicious is actually very easy, and all it usually takes is exactly the same kind of assessments you’d make when dealing with real shops and real people.
What follows is a kind of generic ‘best practice’ guide to staying safe online. It’s not written specifically for people on Macs or PCs, or those using particular programs to access the web or email; though there’ll be a few examples that use a given application, the advice can be applied to more than just that tool. We start with the most general advice possible.
The internet is safe
Sure, there are plenty of provisos and qualifications I could slap on the end of that statement, but it’s nevertheless broadly true, especially if I’m comparing it to real life. Transactions that take place over secure connections to websites (of which more later) are encrypted – converted to gobbledegook before being sent so that even if someone with malicious intent intercepts it, it’s useless – and the same is true for online banking. The system isn’t perfect, but if you behave online the same way as you do on the high street – cautious but not paranoid – it’s at least as safe, and I’d argue it’s even safer.
If it looks dodgy, it probably is
You probably wouldn’t dream of handing over your credit card to a shifty character in a shiny suit behind the counter of a shop whose storefront branding consists of a hastily-printed banner tacked up over the door, so apply the same common sense to sites you may be tempted to buy from online. It’s not a rigid rule – just as in real life, some perfectly legitimate stores will look a bit shambolic, especially if they’re in a very niche market – but still, be sensible. And apply the ‘if it looks too good to be true, it probably is’ maxim too.
Trust the big names
Many people would rather buy bed linen from, say, Debenhams than a market stall, even though the latter may be cheaper and closer. Much of this comes from an innate trust of big brands; not only do they have a visible track record, but they have lots to lose if anything goes wrong. The same is true online; I know that if I buy from Amazon I’m going to get good service both because I and others have used it successfully before, and because it’s in Amazon’s interests to keep me happy. Yes, smaller companies may well offer better deals and customer service – and I’d encourage you to explore smaller, independent stores as your confidence increases – but if you’re nervous about buying online, simply use stores you trust. This may mean stores that have made the transition from ‘bricks and mortar’ physical stores to the internet, and that’s fine.
Secure websites
Any time you’re being asked to make a payment online, check that the connection is secure. If it’s not, do not make the payment online; ask the vendor why the payment system isn’t secure, or simply buy elsewhere. How do you know? There are two ways:
https://www...
The web address, which usually starts
http:// will have changed to
https://
If you care about the geekery, that’s a change from Hypertext Transfer Protocol to Hypertext Transfer Protocol over Secure Socket Layer. More usefully, however...
Padlock symbol
If a site is secure, a padlock symbol will be displayed on the browser window in a particular place. Icons and symbols shown inside the main body of the website alongside other content may be bogus, but if you get the symbol on the window itself, it means the site is secure. Website creators, as a rule, can only control what appears inside the body of a browser window; they can’t add the padlock symbol onto the window itself in the locations highlighted below unless the site actually is secure. (Of course, the presence of a padlock just means that there’s a secure connection to the website, not that the website itself hasn’t been created by someone with malevolent intent. If you know that the correct web address for Amazon is www.amazon.com and you’re on a site called www.amazon-online.co.uk, it doesn’t matter that the connection is secure; you’re simply sending encrypted information to a potentially dodgy site. Check the web address you’re connected to as well!) If you’re using the latest version of Internet Explorer on a PC, you’ll see the symbol in the address bar:
And in Safari on a Mac, it’s at the top right of the window:
You can click on the padlock to get some more information on who has signed the secure certificate if you like, and again, if you have any doubts, stop and contact the site. These days, browsers’ address bars – the bit where you type a web address – will change to green when a site is correctly secured.
Note that some sites have started using schemes such as Verified by Visa or MasterCard SecureCode, both part of the 3-D Secure protocol; these add an additional layer of security when making online purchases by asking you for login details for your card after the main transaction page on the online site. It’s a genuine scheme, though it has drawn criticism because it can be difficult to confirm that it’s not a page masquerading as legitimate. Again, simply contact the vendor if you’re unsure.
Identifying malicious emails
Everybody gets junk email, and while some of it’s just annoying, most is actively trying to get important personal information from you, or even to damage your computer. There are a few specific things you can do to tell whether or not an email is safe, but it’s worth remembering some basic rules too.
Don’t know them? Don’t trust them...
When was the last time you got a nice, chatty letter through your front door from somebody you didn’t know? It happens very rarely, and the same thing’s true of email. If you really don’t know the person who has emailed you, exercise caution.
Not a customer?
If you don’t bank with Halifax, say, and you get an email from them asking you to log in and administer your account, you can be pretty sure it’s dodgy. If you’re getting emails from companies that you’re not a customer of, you can bin them immediately in most cases.
Treat attachments with caution
...unless you have reason to believe they’re legit. If your colleague or daughter sends you an attachment, it’s probably OK, right? But if you get an email from someone you don’t know asking you to ‘check out these cool pics!’ you should be careful. Mac users are a bit luckier here as malicious programs designed to run on PCs to compromise your security or damage your computer won’t run on a Mac, but you should still be careful. Remember, too, that big businesses – banks, say – will almost certainly never send you anything by attachment.
Just because it looks legit doesn’t mean it necessarily is
It’s very simple for someone to create an email that looks identical to one you might get from your credit card company, say, so don’t be suckered in just because it looks official.
Don’t trust the ‘from’ field implicitly
It’s very easy to fake a ‘from’ address in an email or to create an address that’s not necessarily official, but looks perfectly reasonable. (Let’s say you bank with Bank of Scotland; someone may send you an email from info@bank-of-scotland.co.uk, even though that address is nothing to do with the Bank of Scotland itself, which may have email addresses ending in ‘@bankofscotland.co.uk’.)
Log-in details
No reputable company will ever – ever – email you asking you to confirm your log-in details. Be immediately suspicious of any email that says your account has been locked or suspended until you log in and do something. It is at least theoretically possible that something has happened to your account, but in that case, follow the advice in ‘Don’t click on a link in an email’, below.
Don’t click on a link in an email
Your bank may well send you emails that tell you a statement is ready and provide a link you can click on to take you there. (None should ever actually send you financial information by email itself; it’s just too hard to control the safety.) Get out of the habit of clicking on these links, however; though some may be legit, some official-looking ones may not be. Regardless of whether the email actually came from your bank, don’t click on the link. Instead open a new browser window in Internet Explorer or Safari, say, type in the bank’s address, and log in manually; yes, it’s a little less convenient, but it’s much safer.
Check links’ target
Malicious emails’ links will point not to legitimate websites but to dodgy sites that will try to capture login details for your bank or other service. It’s easy to check: most email clients will let you hover the mouse over a link – move the pointer over the link and wait a couple of seconds – and it will show the web address of the page it would open if you clicked on it. Actually, even this can be masked; the only way to neutralise the threat here is to right-click on the link and choose ‘copy link’ or similar; you can then paste this into a plain text document to check where it’s pointing. Some target web addresses will be very close to what you’d expect, such as this one that claims to be from PayPal, but in fact points to payspal.co.uk.
I’ve also had emails ‘from’ HSBC that point to hbsc-online.com, or miscreants might be lazy and cheap, and point to web addresses that are clearly nothing to do with the organisation they claim to be from, such as
http://blogspress.net/vip/logs/customer.htm.
Scammers might use ‘sub-domains’ too to trick
you into thinking the target address is correct. The
address
http://online.lloydstsb.co.uk.abitsystem.com/customer.ibc?WT.svl=ibcplogon
looks more legit than many since it starts with
‘online.lloydstsb.co.uk’, the correct web
address for Lloyds TSB. In fact, however, the actual
address it’s pointing to is abitsystem.com. To
understand why, you need to understand how web addresses
are structured.
http://www.bankofscotland.co.uk/personal
This bit just tells the system to use hypertext transfer protocol, basically just defining how information is transferred from other computers on the internet to yours. It never usually changes, except to include the secure ‘s’ detailed in the ‘secure websites’ section, above.
http://www.bankofscotland.co.uk/personal
Technically, this isn’t necessary or could be anything at all. In practice, though, most websites start ‘www.’
http://www.bankofscotland.co.uk/personal
This is the site’s main address. Read left to right, it’s either the very last thing in a web address, or the last thing before a / that points to a specific page on the site; the double slash in ‘http://’ doesn’t count.
http://www.bankofscotland.co.uk/personal
This ‘/personal’ bit tells you that you’re looking at a particular page on the site, in this case, Bank of Scotland’s personal banking page.
http://www.personal.bankofscotland.co.uk/
Some sites might use subdomains instead of a ‘/whatever’ structure; here, it’s personal.bankofscotland.co.uk. They’re perfectly legitimate, but you have to be careful that someone hasn’t tacked a legit address in front of a dodgy one. Remember, read from left to right, the actual address that a link is pointing to is either the last thing in the web address or it’s the last thing before a / symbol; the double slash in ‘http://’ doesn’t count. In the example under the picture above, find the first / and look immediately to the left.
http://online.lloydstsb.co.uk.abitsystem.com/customer.ibc?WT.svl=ibcplogon
is actually pointing to a site at abitsystem.com, not
online.lloydstsb.co.uk.
Don’t have a guilty conscience!
This email looks perfectly official – except I haven’t sold a laptop on eBay! The sender’s threat to report me to eBay, PayPal and the police are designed solely to get me to respond without thinking; don’t be drawn in!
Spelling
Spam emails will often have poor spelling, either because the writer’s English isn’t great, or as a deliberate tactic to try to evade spam filters.
Protecting yourself from getting more spam
Some emails are after your login details, but some just want to know that your email address is active so they can sell it on to other people who might want to do more. This is often because lots of spamming systems simply guess email addresses; they know that lots of people have email addresses that end in @hotmail.com, for example, so it’s probable that someone is using john_anderson@hotmail.com as their email address. Computers send out emails to lots of guessed email addresses and see if they’re ‘active’ – that is, that someone is actually getting and reading them.
Turn off images
Pictures that show up in emails – or even tiny little pictures that you might not actually see – are often not actually not sent along with the message, but stay on a computer somewhere in the world; when you open an email that contains pictures, a message is sent to that computer requesting that picture so that it can be shown in the email. That’s fine. The problem is that when someone sends you an email to try to work out if your address is active, they can use this technique to embed specific codes in the images that are requested that will confirm that someone – you – is opening and viewing that message. Outlook on the PC and Entourage on the Mac turn HTML images off by default, but if you’re using Mail on a Mac, you have to uncheck the ‘Display remote images in HTML messages’ option under Mail’s Viewing preferences.
Most clients give you the option of overriding this for specific messages; if you believe a message is legitimate, by all means load up the images. In Mail, click the ‘Load images’ button:
And in Outlook, you can either right-click on specific images, or download them all with the highlighted ‘Click here...’ message:
Don’t click the ‘unsubscribe’ button
Some emails have a link at the bottom to allow you unsubscribe or ‘stop getting emails like this’. You might think this is a great way to stop receiving junk email, but ironically it’s actually likely to make the problem worse. While unsubscribe links from big, reputable companies will indeed do what they say, spammers just use the fact that you’ve tried to unsubscribe as another a way of confirming that your email address is active; if you send an email from peter@example.com asking them to stop sending you Viagra ads, say, you’ve just confirmed that their guess that someone actually receives mail at peter@example.com is correct, and you’ll get flooded with more as your email address gets sold to other ne’erdowells.
What to do with dodgy emails
If you’ve used these techniques to identify malicious emails successfully, here’s what you can do:
- Delete the message This is the easiest option, and if you’re in a rush, a quick tap on the delete key lets you simply get on with your life.
- Mark the message as junk or spam The spam filtering in most email clients or stand-alone applications is capable of learning. By marking a dodgy piece of mail as junk, you’re helping train it; you should see less in future.
- Bounce the message Some email applications let you bounce a message back to the sender. This makes it look like it wasn’t delivered to you, and may be useful in discouraging spam. Use carefully, however; a delay between the message being received by you and bounced back might make it clear to the sender that a human bounced it manually.
- Tell the legit site If you’ve had an email purporting to be from PayPal, for example, but which you can see actually isn’t, let PayPal know; many sites have dedicated spoof@... or phishing@... email addresses that you can send suspicious email to. You’ll often get an automatic response from the company involved confirming that it’s malicious, and in any case you’ll be helping them identify trends and new threats.
Disclaimer
Much of the information in this guide can be categorised as lies-to-children; that is to say that while it’s not perfectly correct, it’s a very useful half-truth designed to aid understanding. As your understanding increases you’ll be able to see where I’ve fudged details or drawn analogies that are technically inaccurate despite their usefulness in understanding what’s going on. This guide is written not for technical experts but for those finding their feet online and trying to understand what constitutes safe behaviour patterns in using the web and email. Feedback is welcome, but I’m afraid I can’t offer technical support.
THIS INFORMATION IS PROVIDED 'AS IS' WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED. CHRISTOPHER PHIN WILL NOT BE HELD RESPONSIBLE FOR ANY INJURIOUS OUTCOMES ARISING FROM THE USE OF INFORMATION FOUND ON WWW.RECEDINGHAIRLINE.CO.UK, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA. ALWAYS MAINTAIN A CURRENT BACKUP OF IMPORTANT DATA.